Communications from remote site behind firewall over IPSEC tunnel
I wonder if anyone can help with this situation.
We have a number of remote sites which connect into our head office using ADSL.
The remote sites have Cisco 837 routers and communicate with head office over IPSEC tunnel which terminates on our PIX515E.
All this has been working fine.
We've recently connected another customer to our head office using the same method.
However, at the customer's end, their devices sit behind another firewall (a PIX I think) which connects to the Cisco 837 ADSL router and then to our Head Office.
The problem is, we can't get communications to work between the users behind their firewall and our head office network.
We can communicate from devices on our head office LAN to the remote site's ADSL router's Ethernet subnet no problem.
If they connect a laptop straight into the ADSL router, configured with an address on the same ethernet subnet then, again, they can communicate with our head office devices no problem.
But if they try to connect through their firewall then their attempts just timeout.
I don't know much about their set-up other than they have a global (outside) address configured which is in the same address range as the Ethernet subnet of the ADSL router.
This address translates to their internal IP address range (of which we have no knowledge).
When I enabled cache flowing to look at the conversations through the router, I can see some connections between their firewall IP address and IP addresses on our head office subnet. Though there are only ever 2 or 3 packets whenever they attempt a connection. The users just see the connections eventually timing out.
Does anyone have any ideas what the problem could be? I'd really appreciate it as I'm getting nowhere fast at the moment!
Re: Communications from remote site behind firewall over IPSEC t
Looks like I spoke too soon.
This has stopped working again! I know for certain that nothing has changed on our side of the network and the customer tells me that nothing has changed on their side either.
When it was working, if I looked at the netflow cache on the ADSL router, I could see connections between the customer's firewall IP address (on the same Ethernet subnet as the ADSL router) and our head office servers.
When it stopped working, I could no longer see any attempted connection between the customer's firewall and our head office servers.
However, the customer was able to telnet to the ADSL router ok and, in this case, I could see the connection ok.
But why should this have suddenly stopped working? It doesn't seem to make any sense! Anyone got any suggestions? I'm getting desperate now!
Re: Communications from remote site behind firewall over IPSEC t
If you are seeing the firewall IP address talking to your servers then it means they are doing PAT on the other end. If the IP addresses on the Ethernet side of the 837 are RFC 1918 addresses then have them configure a global range of addresses on the PIX, not just one address, so that they have one-to-one static translation.
Alternatively you can have them do a NAT 0 on their PIX so that their internal IP addresses are not NATed.
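The two options in the reply above, written out as PIX 6.3 and IOS configuration. This is an added illustration, not configuration from either poster; every address in it is assumed (the customer's internal range, the 837's Ethernet subnet and the head-office server subnet are all constructed), and the ACL names are placeholders.

```text
! Assumed addresses (not from the thread):
!   192.168.100.0/24  customer internal LAN, behind the customer's PIX
!   172.16.20.0/24    Ethernet subnet of the Cisco 837; customer PIX outside = 172.16.20.2
!   10.0.0.0/24       head-office servers

! ---- Option A, on the customer's PIX: translate into a range of addresses ----
! A pool inside the 837's Ethernet subnet gives each active host its own
! address, so every flow matches the existing proxy identities on the 837 and
! the head-office PIX without touching either of them.
nat (inside) 1 192.168.100.0 255.255.255.0 0 0
global (outside) 1 172.16.20.100-172.16.20.200 netmask 255.255.255.0
! Or a fixed one-to-one mapping for part of the LAN (mask must match on both sides):
static (inside,outside) 172.16.20.128 192.168.100.0 netmask 255.255.255.128 0 0

! ---- Option B, on the customer's PIX: NAT exemption (nat 0) ----
! Internal addresses reach head office untranslated ...
access-list NONAT permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! ... which only works if the tunnel endpoints learn about that range as well:
! Cisco 837 (IOS): add the customer LAN to the crypto ACL, exclude it from the
! internet NAT ACL, and route it back toward the customer PIX.
access-list 110 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 deny   ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
ip route 192.168.100.0 255.255.255.0 172.16.20.2
! Head-office PIX 6.3: mirror it on the NAT-exempt ACL and the crypto ACL.
access-list NONAT_HQ permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list VPN_CUST permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
```

Option A is the smaller change because the proxy identities already negotiated between the 837 and the head-office PIX stay as they are; option B changes the crypto ACLs on both ends, so the IPsec SA must be re-established after the edit and the 837's internet NAT ACL must deny the new range or it will be sent to the internet instead of into the tunnel.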
The customer LAN and customer firewall are outwith my control - I believe they have a PIX.
The ADSL router is a Cisco 837 running 12.3(2)XE3
The Head Office firewall is a PIX515E running 6.3(5)
An IPSEC tunnel has been established between the head office PIX and the ADSL router.
The ADSL router is configured to send traffic from the address range on its Ethernet subnet to the Head Office servers over the IPSEC tunnel. (Any other traffic will be NAT'd and sent to the internet)
The Head Office PIX has been configured to exempt traffic from the Head Office servers to the customer's LAN from the NAT process and sends it over the IPSEC tunnel established with the ADSL router.
We have this set-up running at a large number of sites without any problem. The only difference in this case is the Customer's LAN is behind a firewall. (For the other sites we have, their LAN is directly connected into the ADSL router)
I can connect between the ADSL router and the Head office servers without any problem. The tunnel is established (sh crypto isakmp sa) and traffic has been encrypted/decrypted (sh crypto ipsec sa).
If the Customer plugs a device directly into the same LAN as the Ethernet subnet on the ADSL router, they can communicate with our servers without a problem.
If the Customer attempts to connect from behind their firewall to our Head Office servers, the connections are timing out.
However, it was successfully running for a couple of hours. When it was working, I was able to see connections from their Firewall IP (address in same subnet as Ethernet interface of ADSL router) and the Head office servers using the netflow commands on the ADSL router. (So I assume they are using PAT to hide the internal addresses on their LAN)
On the PIX firewall at Head Office, I could also see TCP connections (Remote Desktop) between the servers and the customer's firewall IP.
This suddenly stopped working. I can't see any sign of any problems on the logs in the ADSL router or on the PIX firewall at Head Office. (I can see TCP connections between the servers and the Customer's FW IP have been reset from outside, not sure if this is significant?)
After that, I just don't see anymore traffic from the Customer's FW to our head office servers at all.
But I can still connect to the ADSL router ok from our Head Office LAN, the tunnel is up and established and everything seems to be ok!
Can anyone give any help as to where the problem is and how to resolve this? I'm really struggling now! I would say it seems to be something at the customer's firewall but they are insistent that they have everything configured correctly to route traffic for our head office servers via the ADSL router.
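The thread turns on one check: a packet only enters the tunnel if its source and destination fall inside the proxy identities (crypto ACLs) on both endpoints, otherwise the 837 NATs it to the internet and the head-office PIX never sees it. The script below reproduces that decision for a few candidate sources. It is an added example, not anything from the thread; the subnets, the hypothetical hosts and the ACL shapes are all constructed, and it models only the address match, not the real routers.

```python
import ipaddress

# Constructed topology (assumptions, not from the thread)
ADSL_ETH_SUBNET = ipaddress.ip_network("172.16.20.0/24")       # Cisco 837 Ethernet side
HEAD_OFFICE_NET = ipaddress.ip_network("10.0.0.0/24")          # head-office servers
CUSTOMER_LAN = ipaddress.ip_network("192.168.100.0/24")        # behind the customer's PIX

# Proxy identities as the poster describes them: the 837 only encrypts traffic
# sourced from its own Ethernet subnet, and the head-office PIX mirrors that.
ACL_837 = [(ADSL_ETH_SUBNET, HEAD_OFFICE_NET)]
ACL_HQ_PIX = [(HEAD_OFFICE_NET, ADSL_ETH_SUBNET)]


def acl_matches(acl, src, dst):
    """True if some (source net, destination net) entry covers src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


def classify_flow(src, dst, acl_837=ACL_837, acl_hq=ACL_HQ_PIX):
    """Where a packet from src to dst ends up, judged by the two crypto ACLs.

    'nat-to-internet'      the 837 never encrypts it (its NAT overload takes it)
    'return-path-dropped'  it reaches head office, but the reply does not match
                           the PIX proxy identity, so the conversation dies after
                           the first packets (the 2-3 packet symptom)
    'tunnel'               both directions are covered
    """
    if not acl_matches(acl_837, src, dst):
        return "nat-to-internet"
    if not acl_matches(acl_hq, dst, src):
        return "return-path-dropped"
    return "tunnel"


def with_nat0_exemption():
    """ACLs after option B (nat 0 on the customer PIX) is applied at both ends.

    The customer LAN must be added to the 837's crypto ACL and mirrored on the
    head-office PIX; adding it on one side only leaves the return path broken.
    """
    acl_837 = ACL_837 + [(CUSTOMER_LAN, HEAD_OFFICE_NET)]
    acl_hq = ACL_HQ_PIX + [(HEAD_OFFICE_NET, CUSTOMER_LAN)]
    return acl_837, acl_hq


if __name__ == "__main__":
    server = "10.0.0.10"
    cases = {
        "customer host, untranslated": "192.168.100.5",
        "customer host, PAT'd to firewall outside": "172.16.20.2",
        "customer host, static into 837 subnet": "172.16.20.150",
    }
    for label, src in cases.items():
        print(f"{label:45s} {src:15s} -> {classify_flow(src, server)}")
    acl_837, acl_hq = with_nat0_exemption()
    print("after nat 0 on both ends:", classify_flow("192.168.100.5", server, acl_837, acl_hq))
    print("nat 0 on 837 side only:  ", classify_flow("192.168.100.5", server, acl_837, ACL_HQ_PIX))
```

The second-to-last line is the one worth remembering when the customer says "everything is configured correctly": a NAT exemption on their PIX alone changes the source address of every packet, and unless both tunnel endpoints were told about that range the flows silently move from "tunnel" to "nat-to-internet", which matches the poster seeing the firewall address disappear from the netflow cache without any error in the logs.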